2FA Account hacked 800mil gone

Pete Meatza
Dec Member 2023

Here's the thing... I don't use the email I use for OSRS login within a browser. I'm logged out of it. I don't have my account data cached on the browser.
I'm super skeptical of phishing and diligent not to click anything but verified links.

Here is my browsing history of the account (literally the only things that exist are me logging into the browser to view the history...): https://imgur.com/6kV6vEY

27-Feb-2023 19:40:47

Malua
May Member 2006

Pete Meatza said:
> Would it be possible to silently disable the authenticator if they had my login info? Was there a QR code breach on Jagex's end for the authenticators?

You said your Authenticator was not disabled.
It requires access to the registered email of an account to disable Authenticator and you said your email was not breached.
A QR code breach? Not technically possible. Everybody gets a unique Authenticator.

An account is locked when someone uses the correct information (login/password) and tries to log into the game on it but from an unusual location.
So these hijackers knew your login and password.
Normally, a correct Auth code would allow a login from an unusual location. RuneScape accounts don't travel well but Authenticator makes it possible for them to travel.

This raises some questions in my mind.
Did you try to log into your account while you were away?
If so, were you on a public wi-fi?

archerarchr said:
> There is another possibility that I guess I'll be the one to say it: That there's somebody within Jagex that has a backdoor around Jagex's shoddy 2fa implementation. This is not unprecedented given the stuff that happened with Mod Jed a few years ago.

To address this theory:
Jagex would not auto-lock an account if it was an "inside job".
The motivation behind Mod Jed's activity was not about theft. The motivation was for an entirely different reason. JMods don't need to steal wealth from players accounts. They can auto-generate whatever they want. OP reported the loss of 800 million gp. "You want 800 million gp?" says the dodgy JMod. "OK, give me a few minutes.....Done" No need to pull it out of someone's account.
Forum Community Helper -
Information about Moderators and Community Helpers

28-Feb-2023 00:09:43 - Last edited on 28-Feb-2023 00:14:20 by Malua

archerarchr
Oct Member 2020

"JMods don't need to steal wealth from players accounts. They can auto-generate whatever they want. OP reported the loss of 800 million gp. "You want 800 million gp?" says the dodgy JMod. "OK, give me a few minutes.....Done" No need to pull it out of someone's account."

I'm sure that JMods auto-generating items is logged and monitored, and if they wanted to get themselves a few more Pound Sterling without raising any alarms they could flip a switch on an account to disable 2fa, let their scummy buddies clean the person out, re-enable 2fa, and then leave it to the members of this forum to try and gaslight people into thinking that logging into a public wi-fi network can somehow expose your 2fa codes to other people on the same network.

28-Feb-2023 01:52:43

archerarchr
Oct Member 2020

Malua said:
> The minute 2FA is disabled, it is deleted.
> Re-enabling 2FA sets up a new Auth.
> The OP would know immediately if this happened because their Auth codes would no longer work. As OP stated in their second post that Auth was not disabled, the theory you post cannot have occurred.

The minute 2FA is disabled by conventional methods, sure. If there's a Jagex employee exploiting a backdoor then basing assumptions on what these processes typically look like isn't valid anymore.

28-Feb-2023 02:44:27

Applejuiceaj
Nov Member 2011
Forum Moderator

archerarchr, accusations of an inside job are starting to derail the thread here and are extremely unlikely to occur in present-day Jagex, so let's stick to trying to provide assistance based on what the thread author has posted, not conspiracy theories.

28-Feb-2023 05:05:12

2_Tron

Pete Meatza said:
> 800 mil of losses and ~100 days of my life in progress gone after I logged in the first time in a week from a trip. Account was locked for suspicious activity, then after recovering I find everything is gone and I'm standing in Lumbridge.
>
> 2FA has been enabled on my account for the longest time. No email compromise is detected, all devices that have been used are my own, I only use RuneLite's official plugin. No linked accounts. I simply don't understand what happened... I feel like I played by the rules and followed everything short of a bank pin (thinking 2FA would be infallible) and now everything is gone...
>
> any help, even answers or ideas to what happened would be appreciated... thank you

Have you ever logged in from abroad?
Sorry that I didn't mention that earlier, accounts that travel around the globe do not travel well when they do not meet enough safety requirements. That could also trigger 'suspicious activity' and a lock to protect said account from 'hackers/hijackers/stealing'.
There are also examples that people in one's surroundings do attempt to steal someone's account.
Sometimes the answer to your issue isn't that complicated, sometimes it is so obvious ...

28-Feb-2023 09:36:56

Pete Meatza
Dec Member 2023

Thanks for the in-depth response Malua.

I attempted to load up mobile OSRS via mobile data (may have been a public wifi) I believe, once during my trip. The app didn't even fully load (aka red X screen saying something like "we couldn't connect") so I couldn't even see the login page to attempt to log in and I just gave up.

I don't know how it would be possible for someone to have exposed my account from that... but it's worth mentioning. If that's the case that'd be a massive security issue; I'd expect more users to encounter it though.

28-Feb-2023 14:39:02